[MEDIUM] Shopware: Admin Account Takeover via User Recovery Hash Exposure

PKSA-946b-qy3w-67d7 CVE-2026-48009 GHSA-8v9p-g828-v98f

Affected package: shopware/core

Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1

Reported by:
GitHub